WTF-WFP is a lightweight, easy-to-use PowerShell module that helps you debug and analyze the Windows Filtering Platform (WFP). Its advantage is that it lets you understand what the WFP is doing to your traffic without first having to learn the WFP API in depth.
WTF-WFP uses NtObjectManager to access the WFP APIs (and a number of other helpful functions it exposes). To install, simply run the following from an elevated PowerShell shell:

```powershell
Install-Module -Name NtObjectManager
Install-Module wtf-wfp
```
Now the Get-WFPInfo command should be available. You can validate the installation and get more information via the help command:

```powershell
Get-Help Get-WFPInfo
```
To start analyzing the WFP, select the network interface you wish to analyze, the protocol, and the direction (inbound or outbound). There are additional parameters, but these are the most basic ones and will probably give you most of the information you need. Here are a couple of examples:
To get filters for inbound UDP traffic to local IPv4 address 10.0.0.1:

```powershell
Get-WFPInfo -inbound -localAddress 10.0.0.1 -protocolType Udp
```

To get filters for outbound TCP traffic from local IPv4 address 10.0.0.1 to 172.16.5.5 on remote port 3389, and also save the matching filters to a CSV file:

```powershell
Get-WFPInfo -outbound -localAddress 10.0.0.1 -protocolType Tcp -remoteAddress 172.16.5.5 -remotePort 3389 -csvPath "c:\wfp.csv"
```

To activate a trace for inbound SMB traffic and see which filters block it:

```powershell
Get-WFPInfo -inbound -localAddress 10.0.0.1 -protocolType Tcp -localPort 445 -netTrace
```
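The commands above cover one service at a time. As an added example (not part of the WTF-WFP project or its help text), the script below audits the inbound filters for several listening services on one host in a single run, keeping a CSV per service so the results can be diffed against a later baseline. It uses only the parameters documented on this page; the local address 10.0.0.1, the service list and the output directory are constructed values, and it assumes both modules are installed and the shell is elevated. Because the column layout of the CSV is not documented here, the summary step reports the row count and whatever column names the module emitted rather than assuming any particular field.

```powershell
# Added example, not the module's own code: enumerate inbound WFP filters for
# several services on one host and save one CSV per service for later diffing.
# Assumes wtf-wfp and NtObjectManager are installed and the shell is elevated.
#Requires -RunAsAdministrator

$localAddress = '10.0.0.1'                      # constructed: local IPv4 under review
$outDir = Join-Path $env:TEMP 'wfp-audit'      # constructed: output directory
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Constructed service list; each entry becomes one Get-WFPInfo call and one CSV.
$services = @(
    @{ Name = 'SMB'; Protocol = 'Tcp'; Port = 445 },
    @{ Name = 'RDP'; Protocol = 'Tcp'; Port = 3389 },
    @{ Name = 'DNS'; Protocol = 'Udp'; Port = 53 }
)

foreach ($svc in $services) {
    $csv = Join-Path $outDir ('{0}-{1}-{2}.csv' -f $svc.Name, $svc.Protocol, $svc.Port)
    Write-Host ('Enumerating inbound filters for {0} ({1}/{2})' -f $svc.Name, $svc.Protocol, $svc.Port)
    # Same parameters as the page's examples; -csvPath persists the matching filters.
    Get-WFPInfo -inbound -localAddress $localAddress -protocolType $svc.Protocol `
                -localPort $svc.Port -csvPath $csv
}

# Summarise what was collected without assuming a column layout: the number of
# matching filters per service and the column names the module wrote.
Get-ChildItem -Path $outDir -Filter '*.csv' | ForEach-Object {
    $rows = @(Import-Csv -Path $_.FullName)
    $columns = if ($rows.Count -gt 0) { $rows[0].PSObject.Properties.Name -join ', ' } else { '(no rows)' }
    [pscustomobject]@{ File = $_.Name; Filters = $rows.Count; Columns = $columns }
} | Format-Table -AutoSize
```

Run it once to establish a baseline, then rerun after a policy, antivirus or VPN change and compare the CSVs; a service that gained a block filter will show up as a new row, and the `-netTrace` switch can then be used on that specific port to confirm which filter is actually dropping the traffic.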
Note: Microsoft Defender may alert on NtObjectManager, so you may need to turn off real-time protection, set the PowerShell Gallery as a trusted repository, or create an exclusion for the module.
Taken from the help menu:

```
PARAMETERS
-inbound [<SwitchParameter>]
Enumerates only inbound filters for the AUTH_RECV_ACCEPT_V4/6 ALE layer.
-outbound [<SwitchParameter>]
Enumerates only outbound filters for the AUTH_CONNECT_V4/6 ALE layer.
-protocolType
Enumerates only filters that match the provided protocol.
-localAddress <IPAddress>
If included, only enumerates filters that match the specific local address, the IP family, and the local NIC.
-remoteAddress <IPAddress>
If included, only enumerates filters that match the specific remote address.
-localport <UInt16>
If included, only enumerates filters that match the specific local port.
-remoteport <UInt16>
If included, only enumerates filters that match the specific remote port.
-conditionFlag <UInt32>
If included, enumerates filters using the FWP_CONDITION_FLAG bitmap.
-csvPath <String>
If included, saves the matching filters to the given path in CSV format.
-showAppContainerFilters [<SwitchParameter>]
Unless present, results do not include filters that are App Container specific.
-detailed [<SwitchParameter>]
Prints detailed info about each filter.
-netTrace [<SwitchParameter>]
Activates the WFP trace and waits for the user to recreate the network issue. The matched traced events are printed to the output, along with the filters that matched.
-addTraceFilters [<SwitchParameter>]
Adds a match-all permit filter at each relevant filtering layer.
-allLayers [<SwitchParameter>]
When present, prints more filters at different layers, depending on the inbound/outbound params.
```